From 454461d4840a949da4dfad5115d7e971bd1fd94a Mon Sep 17 00:00:00 2001
From: James Graham <J.Graham@software.ac.uk>
Date: Wed, 20 Feb 2019 14:17:14 +0000
Subject: [PATCH] Allow Application API tokens to be revoked by their owner
---
.../applications/application/detail.html | 23 +++++++++++++++++++
applications/urls.py | 4 ++++
applications/views.py | 18 ++++++++++++++-
pedasi/common/__init__.py | 0
profiles/models.py | 7 ++++++
5 files changed, 51 insertions(+), 1 deletion(-)
delete mode 100644 pedasi/common/__init__.py
diff --git a/applications/templates/applications/application/detail.html b/applications/templates/applications/application/detail.html
index cdeb12b..36f7b5f 100644
--- a/applications/templates/applications/application/detail.html
+++ b/applications/templates/applications/application/detail.html
@@ -1,6 +1,10 @@
{% extends "base.html" %}
{% load bootstrap4 %}
+{% block extra_head %}
+ <script src="https://cdn.jsdelivr.net/npm/js-cookie@2.2.0/src/js.cookie.min.js"></script>
+{% endblock %}
+
{% block content %}
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
@@ -64,8 +68,27 @@
<td>
<span id="spanApiToken">
{% if application.proxy_user.auth_token %}
+ <script type="application/javascript">
+ function revokeToken() {
+ $.ajax({
+ dataType: "json",
+ url: "{% url 'applications:token' pk=application.pk %}",
+ method: "DELETE",
+ headers: {
+ "X-CSRFToken": Cookies.get("csrftoken")
+ },
+ data: null,
+ success: function (data) {
+ $('#spanApiToken').text("");
+ }
+ });
+ }
+ </script>
+
{{ application.proxy_user.auth_token }}
+ <button onclick="revokeToken();" class="btn btn-danger" role="button">Revoke API Token</button>
+
{% else %}
<script type="application/javascript">
function getToken() {
diff --git a/applications/urls.py b/applications/urls.py
index ae74341..0d4ad19 100644
--- a/applications/urls.py
+++ b/applications/urls.py
@@ -29,6 +29,10 @@ urlpatterns = [
views.ApplicationGetTokenView.as_view(),
name='token'),
+ path('<int:pk>/token',
+ views.ApplicationGetTokenView.as_view(),
+ name='token'),
+
path('<int:pk>/manage-access',
views.ApplicationManageAccessView.as_view(),
name='application.manage-access'),
diff --git a/applications/views.py b/applications/views.py
index 8256596..e9c6a01 100644
--- a/applications/views.py
+++ b/applications/views.py
@@ -98,7 +98,7 @@ class ApplicationGetTokenView(OwnerPermissionMixin, DetailView):
def render_to_response(self, context, **response_kwargs):
"""
- Get an existing API Token or create a new one for the currently authenticated user.
+ Get an existing API Token or create a new one for the requested :class:`Application`.
:return: JSON containing Token key
"""
@@ -112,3 +112,19 @@ class ApplicationGetTokenView(OwnerPermissionMixin, DetailView):
}
}
})
+
+ def delete(self, request, *args, **kwargs):
+ """
+ Revoke an API Token for the requested :class:`Application`.
+
+ :return: JSON containing Token key
+ """
+ self.object = self.get_object()
+ self.object.proxy_user.revoke_auth_token()
+
+ return JsonResponse({
+ 'status': 'success',
+ 'data': {
+ 'token': None,
+ }
+ })
diff --git a/pedasi/common/__init__.py b/pedasi/common/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/profiles/models.py b/profiles/models.py
index 1ef5590..738fa71 100644
--- a/profiles/models.py
+++ b/profiles/models.py
@@ -28,3 +28,10 @@ class User(AbstractUser):
"""
token, created = Token.objects.get_or_create(user=self)
return token
+
+ def revoke_auth_token(self):
+ """
+ Revoke and API auth token for this user.
+ """
+ self.auth_token.delete()
+
--
GitLab